Securing APIs is many things, but not easy. With the increasing reliance on microservices and cloud applications, web-based APIs are becoming increasingly important to the digital strategy of various companies. The only thing that is growing faster than API integration is the amount of API attack traffic, which has recently grown three times as fast as the overall API traffic.
This chilling statistic comes to no surprise, regarding the fact that APIs are often in the blind spot of application security testing methods. In this article, I want to present three reasons why modern white-box testing approaches that are based on fuzzing can help you get to these blind spots to build unbreakable API endpoints.
1. Continuous API Testing
Modern application security testing platforms for API endpoint testing enable developers to implement continuous testing cycles into their CI/CD environment. In most cases, those can be configured to conduct automated fuzz tests on each pull request to ensure that code is secure before it is merged. With a few adjustments, fuzzers can even be set up to run security tests on each code change. Since many fuzzing solutions offer a high degree of automation, they require no expert knowledge to automatically detect API endpoints.
Below, you can find an example of vulnerabilities in the deliberately insecure WebGoat toy project. Most of the countless vulnerabilities hidden all over the place are the typical OWASP pitfalls, including SQL Injections, XSS-Scenarios, etc. A more detailed bug reporting explaining the results from fuzzing in WebGoat can be found here.
2. Full Code Coverage Visibility
Code coverage is one of the most important metrics in application security testing. Without information about the code covered in a test, it becomes difficult to interpret test findings. Modern fuzzing platforms allow for precise code-coverage visibility, as they provide information about the exact percentage of code covered in a test.
3. Simplified Debugging
After a vulnerability or bug is found, modern fuzzers can automatically classify its severity and provide full log information. Since dynamic application security testing (DAST) and interactive application security testing (IAST) tools actually execute the software and feed inputs into the API, most of those tools can identify the input causing the crash. This allows developers to easily debug findings, as they can observe exactly how their application interacts with the crashing input. To ensure that this proceeds as frustration-free as possible, the ideal tool is able to set break-points based on the stack trace leading to the vulnerability.
REST API Security Testing in Action
Implementing modern fuzzing will enable you to build a reliable, fully-automated API endpoint testing-cycle, that provides code coverage visibility and simplifies your debugging efforts. If you want to see how all of the above can be implemented practically, watch this short overview or learn more to get the full recording on how you can automate your REST API testing in 5 easy steps.